
SSO Integration with Azure AD

epilote
6-Contributor

Hey, I'm trying to set up the SSO integration with our Azure AD. On Azure I'm able to get the correct answer and to test it correctly. On the Chalk side I get: There was an error while testing your Identity Provider:
The 'email' attribute mapping is incorrect.

When I look in the Azure AD app, it's the same email as the one I'm connected with.

 

Do you know if there are special things to do to get this working?

Thanks,

tmccombie
21-Topaz I
(To:epilote)

Could be a couple different things.

 

Can you confirm the email attribute you are entering into the configuration is correct? You can check this in your metadata.xml file. 

 

The other thing it could be is your email addresses being sent from your IdP have uppercase letters in them. The email addresses coming from your IdP need to match those in the Admin Center exactly and the Admin Center stores emails in all lowercase. 

epilote
6-Contributor
(To:tmccombie)

Looking into the XML, it's Email.

The email goes as follows:

<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>Email</auth:DisplayName>
<auth:Description>Email address of the user.</auth:Description>
</auth:ClaimType>

 

In Azure, I see the claims being made and it's the same email entered in the portal.

 

tmccombie
21-Topaz I
(To:epilote)

Looks like your email attribute to enter into the SSO configuration is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Please try using that instead of 'Email' and let me know the results. 

epilote
6-Contributor
(To:tmccombie)

Just tried again in an in-private session and same error 😞

tmccombie
21-Topaz I
(To:epilote)

Can you confirm that your IdP is sending the email address in all lowercase? Azure has a ToLower() claims transformation for this: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

 

If that's all set, please PM me your company info and I'll look into this on our side.

epilote
6-Contributor
(To:tmccombie)

Yes all lowercase,

I will send you a PM with more info.

Thanks !

The problem was resolved; there were two things:

1. Bad entry on the Vuforia SSO configuration database

2. We made the setup using the claim transformation attribute name; for some reason the emailaddress attribute returns the uppercase email, even though the SAML response was in lower case.

 

Regards,

Ricardo
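
The two mapping failures discussed in this thread (display name entered instead of the claim URI, and an uppercase value that no longer matches the lowercase stored address) can be checked offline against a captured assertion. This is an added example, not code from any post above or from the vendor; the sample assertion is constructed, and `email_lower` is a hypothetical name for a transformed claim.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion fragment (not captured from a real tenant).
# "email_lower" is a hypothetical attribute name for a ToLower() transformed claim.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email_lower">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_attributes(assertion_xml):
    """Return {attribute Name: [values]} from a SAML 2.0 assertion.

    Diagnostic use on your own captured assertion only: no signature check,
    and the stdlib parser is not hardened for untrusted XML.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_email_mapping(assertion_xml, configured_name, stored_email):
    """Classify why a configured email attribute would or would not match."""
    attrs = assertion_attributes(assertion_xml)
    if configured_name not in attrs:
        return "attribute-not-found"  # e.g. 'Email' display name, not the URI
    values = attrs[configured_name]
    if stored_email in values:
        return "ok"
    if any(v.lower() == stored_email.lower() for v in values):
        return "case-mismatch"        # exact match is required; stored form is lowercase
    return "value-mismatch"

if __name__ == "__main__":
    for name in ("Email", EMAIL_CLAIM, "email_lower"):
        print(name, "->", check_email_mapping(SAMPLE_ASSERTION, name, "jane.doe@example.com"))
```
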
